Data of a computer system can be secured from malware. During a Primary Operating System (PrimaryOS) run-time, the system determines if the computer system has been compromised and, if so, a Trusted Operating System (TrustedOS) is launched and assumes control of the hardware resources and the software resources of the computer system. The TrustedOS obtains a cryptographic key that is inaccessible to the PrimaryOS. The TrustedOS uses the cryptographic key to disable writing to a first portion of the storage media that includes the first set of logical block addresses. The PrimaryOS can incrementally back-up files to a second set of logical block addresses on a second portion of the storage media. Control of the hardware resources and the software resources is returned to the PrimaryOS.

Devices and techniques for on-demand programmable atomic kernel loading are described herein. A programmable atomic unit (PAU) of a memory controller can receive an invocation of a programmable atomic operator by the memory controller. The PAU can then perform a verification on a programmable atomic operator partition for the programmable atomic operator. Here, the programmable atomic operator partition is located in a memory of the PAU. The PAU can then signal a trap in response to the verification indicating that the programmable atomic operator partition is not prepared.

An information handling system may include at least one processor and a memory. The information handling system may be configured to: host a container; execute a containerized application within the container, wherein the containerized application executes with privileges associated with a container-internal user; determine an association between the container-internal user and a host user associated with an operating system external to the container, wherein the determining is based on a cache that maintains a mapping between container-internal users and host users; and grant privileges to the containerized application based on the host user.

Methods, systems, and apparatus, including computer programs encoded on computer storage media, for generating signed addresses. One of the methods includes receiving, by a component from a device, a plurality of first requests, each first request for a physical address and including a virtual address, determining, by the component, a first physical address using the virtual address, generating a first signature for the first physical address, and providing, to the device, a response that includes the first signature, receiving, from the device, a plurality of second requests, each second request for access to a second physical address and including a second signature, determining, by the component for each of the plurality of second requests, whether the second physical address is valid using the second signature, and for each second request for which the second physical address is determined to be valid, servicing the corresponding second request.

The instruction code including an instruction code stored in the area where the encrypted instruction code is stored in a non-rewritable format is authenticated using a specific key which is specific to the core where the instruction code is executed or an authenticated key by a specific key to perform an encryption processing for the input and output data between the core and the outside.

A micro-controller chip is coupled to an external memory and includes a central processing unit (CPU), an address reorder circuit, and an address bus. The CPU is configured to provide a first internal address. The address reorder circuit calculates a unique identifier and a seed code to generate a base parameter and performs a reorder operation for the first internal address according to the base parameter to generate a first encryption address. The address bus is coupled between the address reorder circuit and the external memory to provide the first encryption address to the external memory. The external memory stores specific data according to the first encryption address.

Methods, systems, and devices associated with techniques for secure writes by non-privileged users are described. A memory device may be configured with one or more blocks of memory operating in a secure write mode. The memory device may receive an append command from a non-privileged user. The append command may indicate data to write to the block of memory at an address determined by the memory device. The memory device may identify a pointer to the address for storing the data within the block of memory. The memory device may write the data to a portion of the block of memory based on identifying the pointer and may update the pointer associated with the block of memory based on writing the data.

Assessing protection for storage resources, including: identifying a set of active data protection features for one or more storage resources; generating a data protection assessment based on the set of active data protection features; and reporting the data protection assessment.

Validating code that is stored in non-volatile memory. In some instances, code that is written and/or processed by an outside entity that is brought into a local non-volatile memory setting can potentially compromise a given computer system. In order to ensure that this type of code is secure, there are methods to generate interrupt signals that can later be overridden by Otprom code in order to properly validate this outside code.

A method and apparatus for controlling access to memory is disclosed. In one implementation, a memory controller may receive a memory access request that may include a virtual memory address, a device identifier (ID) and a protected access indicator. Additionally, the memory controller can receive page table entries including a physical memory address based on the virtual memory address and a security attribute associated with the physical memory address. The memory controller may access a memory based on the physical memory address, the security attribute, the protected access indicator, and the device ID.